[tor-talk] Tor Browser disabling Javascript anonymity set reduction

Maxim Kammerer mk at dee.su
Sun May 13 22:25:54 UTC 2012 

On Mon, May 14, 2012 at 12:26 AM, Mike Perry <mikeperry at torproject.org> wrote:
> I do *not* believe we can capture that userbase if we ship a
> JS-disabled-by-default browser.

First, I would like to say that I agree that Javascript and other
popular features (e.g., CSS, HTML5 video) need to be enabled by
default, since this is what the users expect. It is not 1995 outside,
and regular web browsing should include the usual capabilities
expected of it. Not talking here about non-standard, insecure and
outdated hacks like Flash that need to die, of course.

All these frequent discussions about Javascript etc., however, revolve
around an inherent conflict of interest. You (in general — i.e., the
Tor project) want to attract a large userbase that will benefit the
Tor network as a whole, and yet there is a sizable core group of users
who require strong anonymity (not pseudonymity). Yet, by actually
defining the anonymity set as one using those popular features, you
basically force that core group to shift from anonymity towards
pseudonymity once they selectively or completely block Javascript,
install ad blockers, disable HTML5 extensions, etc. All that while the
large userbase you want to bring in would be content with
pseudonymity, yet you do not want them to block ads, for instance.

So why not provide two profiles for the groups? I.e., a Torbutton-like
interface, but one switching between the two profiles. The regular
profile is as TBB is now, with a whitelist of approved addons (like
Ad-Block Plus, I guess), which can update and change their internal
state (e.g., filter lists) whenever they want. The hardcore profile
uses a carefully restricted subset of HTML, CSS, Javascript, etc.,
with a hard-coded list of addons and their internal state. If some
site doesn't work, the user has a choice to switch to the normal
profile, but will in that case be aware that his anonymity is most
likely less anonymous and more pseudonymous now.

Otherwise, this continuous patching of an inherently non-anonymous
solution seems like a task of Sisyphus to me. Consider a site that
follows user's mouse movement and other unique behavior, and then
classifies users by that data, for instance. Once some grad student
implements this approach, and thousands of sites adopt it as a
reliable fingerprinting technique, what will you do?

-- 
Maxim Kammerer
Liberté Linux (discussion / support: http://dee.su/liberte-contribute)

More information about the tor-talk mailing list